Altares Dun & Bradstreet - General Terms & Conditions

Last updated on: July 1, 2021

Definitions

Anti-Corruption Laws

Means the European and local anti-corruption legislation, guidelines and industry standard in force in the relevant jurisdiction;

API (Application Programming Interface)
Means an applicative programming interface that grants Customer access to the Services;
Confidential Information

Means any information (i) which has been qualified as confidential by a Party, orally or by writing or (ii) which, by its nature, character or method of disclosure would be regarded as confidential by a reasonable person in identical circumstances;

Customer

Means Customer of D&B on whose behalf this MA has been signed or electronically accepted (as applicable);

Customer Affiliate

Means any entity which, directly or indirectly, controls, is controlled by, or is under common control with a Party, where “Control” means having the right to decide, directly or indirectly, the manner of exercising more than fifty percent (50%) of the votes in a general assembly of an entity or more than fifty percent (50%) of the votes in a meeting of the executive body of an entity;

D&B

Means DUN & BRADSTREET BV, Montevideo Offices, Otto Reuchlinweg 1032, 3072 MD Rotterdam, the Netherlands Tel: +31 (0)10 710 95 60, known under the trade name Altares – Dun & Bradstreet and part of the Altares Group;

DUNS® Numbers

Means the unique serial numbers which identify a business and which are proprietary to and controlled by DUN & BRADSTREET, INC. 101 John F. Kennedy Parkway, Short Hills, NJ, 07078, US;

Effective Date

Means the date (i) this MA is signed on behalf of Customer, or (ii) if entered into electronically the date on which Customer signifies its acceptance of this MA in accordance with the procedures specified from time to time by D&B;

Information

Means all information of legal, commercial and/or financial nature regarding one or several local and/or international companies, as well as its representation in the form of data, which D&B owns the Intellectual Property Rights or licence rights to, that is included in D&B’s database and provided to Customer via the Services. Information may include Personal Data;

Insolvency Event

Means (i) if a Party is being declared bankrupt, applying for a suspension of payments or petitioning for application of the debt restructuring provision referred to in the Dutch Bankruptcy Act and for any other relevant law, or, to the extent applicable, steps are taken to put a Party into administration, propose or enter into any arrangement, scheme, moratorium, compromise or composition with that Party’s creditors, take any other steps to enter insolvency proceedings and/or wind up that Party, (ii) if a Party shall be unable to pay its debts, (iii) if a trustee receiver, administrative receiver or similar officer is appointed in respect of all or any material part of the business or assets of a Party; (iv) if a meeting is convened for the purpose of considering a resolution, or other steps are taken for the winding up of any Party (otherwise than for the purpose of an amalgamation or reconstruction) or for the making of an administration order or other appointment of an administrator in respect of a Party, or any such order or appointment is made or effective resolution is passed to wind up a Party;

Intellectual Property Rights

Means any and all intellectual property rights and industrial property rights of any nature whatsoever including without limitation patents, patent applications, copyright, know-how, technical and commercial information, designs, design rights, internet domain names, database rights, trademarks, service marks or business names, applications to register any of the aforementioned rights, trade secrets and rights of confidence, in each case in any part of the world and whether or not registered or registrable;

Order

Means a valid order for Information, Services and/or Programs which has been accepted by D&B in accordance with the terms of this MA;

Party and Parties

Means individually D&B or Customer and collectively D&B and Customer;

Personal Data

Has the meaning as defined in the European Union Regulation 2016/679;

Privacy Laws

Means the European Union Regulation 2016/679 and any other applicable data protection legislation, guidelines and industry standards in force in a relevant jurisdiction, relating to the use and processing of personal data in that jurisdiction;

Processor

Means a third party processor as defined in the European Union Regulation 2016/679;

Programs

Means the computer programs or applications (including those accessed remotely) that allow access to the Services by Customer and/or the User. The Programs may include API’s or Websites, or any other program defined in the Order.

Services

Means the provision of the Information by D&B to Customer via the Programs. The Services are described in the Order and, if applicable, in the additional contractual documents listed in the Order;

Territory

Means those countries or regions identified in a particular Order, included in the scope of the licence to use the Information, Services and/or Programs;

Update

Means the functional corrections, bug or error corrections or modifications made to the API or Programs that are provided to D&B’s customers, including Customer, that might imply a version change;

Upgrade

Means the modification or addition of important functions of the Programs requiring a version change;

Users

Means the employees and contractors of Customer and, if applicable, of Customer’s Affiliate(s) who access and/or use the Information, Services and/or Programs on Customer’s behalf. For the purpose of this definition, “contractor” means any person not an employee of Customer who performs the functions of an employee for Customer on a temporary basis;

Website

Means an online platform that allows access to the Services via the internet. URL’s of the website are set out in the Order.

2. Acknowledgement

2.1
No obligation to furnish or pay for any Information, Services, or Programs arises under this MA until D&B accepts the applicable Order, either (i) in writing (by the signature of an authorized D&B representative or delivery of a D&B invoice to Customer in connection with such Order) or, (ii) electronically in accordance with the electronic acceptance procedures specified from time to time by D&B.

2.2
All Orders are, from the Effective Date of this MA, subject to the terms of this MA, and the terms of all such Orders are by reference incorporated in this MA. All Information, Services, and Programs will be supplied in accordance with and subject to the terms of this MA and the applicable Order.

3. Duration - renewal

3.1
Unless otherwise stipulated in the Order, any Order is entered into for a minimum term of twelve (12) months (the “Initial Period”).

3.2
After the Initial Period, the Order shall be automatically renewed for successive twelve (12) months periods, unless any one of the Parties withdraws from it by prior written notice, no later than sixty (60) days before the renewal date of the Order.

4. Affiliates

4.1
Any Customer Affiliate may place Orders with D&B by submitting an Order to D&B which Order shall be governed by the terms set out in the Order and this MA.

4.2
Where a Customer Affiliate places an Order, Customer Affiliate shall be regarded as Customer for the purposes of that Order and this MA and all references in that Order and this MA to Customer shall accordingly be construed as referring to the relevant Customer Affiliate.

4.3
Where Customer places an Order on behalf of a Customer Affiliate Customer hereby represents and warrants that (i) it has the authority to bind Customer Affiliate to the terms of that Order and this MA and (ii) it remains liable to D&B for any failure by Customer Affiliate to comply fully with, or in connection with any breach by Customer Affiliate of the terms of that Order and/or this MA.

5. Intellectual property rights and license to use the services

5.1 Intellectual property rights
5.1.1 - Customer acknowledges that the Information and Programs are proprietary to D&B and may include copyrighted works, trade secrets, patented or patentable inventions, databases, or other materials created by D&B at great effort and expense, or on which D&B has obtained from third parties the licence rights necessary for the purpose of an applicable Order. D&B retains all Intellectual Property Rights in the Services and nothing in this MA shall be deemed or construed as an assignment or transfer of legal interest by D&B to Customer of any Intellectual Property Rights. Customer obtains only such rights as are explicitly granted in this MA. Customer will not contest the validity of, or D&B’s Intellectual Property Rights in or ownership of, the Information or Programs in any way. As far as possible, Customer will reproduce D&B's copyright and proprietary rights legend on all copies of Information and Programs.
5.1.2 - DUNS® Numbers are the exclusive property of DUN & BRADSTREET, INC. D&B hereby grants Customer a non-exclusive perpetual limited licence to use DUNS® Numbers (excluding linkage DUNS® Numbers) solely for identification purposes and only for Customer's internal business use. Where practicable, Customer will refer to the number as a "DUNS® Number" and shall state that “DUNS® is a registered trademark of DUN & BRADSTREET, INC.
5.2 Licence to use the information, programs and/or services
5.2.1 - Upon acceptance of an Order by D&B and subject to the terms of this MA, D&B will grant Customer a non-exclusive, non-transferable, revocable licence for the time period, and upon the terms set out in an Order, if applicable, for such number of Users as are specified in the relevant Order to access and/or use the Information, Services and/or Programs supplied pursuant to that Order. Unless expressly permitted in an Order, Customer may not sub-licence in whole or in part or grant any rights in or to the Information, Services, or Programs to any other Party.
5.2.2 - Information, Services, and Programs are licenced to Customer for its internal use only. Customer will not make available or permit any other Party to access or use any of the Information, Services or Programs in whole or in part, whether directly or indirectly, in any media; or use or permit the use of Information, Services or Programs (i) to generate any statistical or other information that is or will be provided to third parties (including as the basis for providing recommendations to others), (ii) to prepare any comparison to other information databases that is or will be provided to third parties, or (iii) more generally, in connection with providing advice or recommendations to third parties.
5.2.3 - Unless otherwise stipulated in the Order, the Territory on which the licence is granted to Customer is the Dutch territory. Customer agrees that it shall (and shall procure that its Users shall) only access and/or use the Information, Services, and Programs to support its business operations within the Territory. Customer shall not set up or share any user IDs, passwords, or Information with persons located outside the Territory.
5.3 Restrictions on use and security obligations
5.3.1 - Customer will not (i) attempt to access, use, modify, copy, reverse engineer, or otherwise derive the source code of Programs, or (ii) copy, download, upload, or in any other way reproduce Information or Programs, except for creating a reasonable number of copies of Information in any format for internal use only in accordance with the MA and/or any applicable Order and not for general internal distribution.
5.3.2 - Customer will not voluntarily produce any Information in legal proceedings without D&B’s prior written consent. Where Customer receives a subpoena, summons, warrant, or governmental order requiring it to produce any Information in legal proceedings, Customer shall (i) promptly notify D&B with details of the requirement and the Information it intends to produce, and (ii) take all reasonable steps (a) to minimize the Information produced and (b) to obtain written confidentiality undertakings in its favour with respect to any Information produced.
5.3.3 - Each Party shall implement and maintain security measures that effectively restrict access to the Information and Programs only to authorized Users and/or its employees with a need to know, and protects the Information and Programs from unauthorized use, alteration, access, publication, and distribution.
5.3.4 - When the purpose of the provision of the Information to Customer is set out in an applicable Order, it shall be acknowledged as a restrictive condition, excluding the use of the Information, Services, and/or Programs for any other purpose.
5.3.5 - Both Parties undertake to perform their rights and obligations under an applicable Order in strict compliance with the applicable laws and regulations (including without limitation Privacy Laws and Anti-Corruption Laws). Customer will not use any service to engage in any unfair or deceptive practice or in connection with any criminal activity.
5.3.6 - With the prior written consent of D&B (which may be given by email), Customer may engage a Processor to host and/or process Information provided that Customer has a valid written agreement with the Processor (“Processor Agreement”) that stipulates (at a minimum) that (a) the Processor's access to and use of the Information shall be limited solely to the performance of specific services for Customer and the Processor may not copy or use the Information for any other purpose, (b) the Information is the property of D&B and may not be disclosed or distributed by the Processor to any other Party, (c) upon the earlier of termination of the Processor Agreement or the termination or expiry of this MA or all applicable Orders, the Processor shall return the Information to D&B or certify its destruction to D&B, (d) Customer acknowledges that Customer is the “Controller” (as defined in the European Union Regulation 2016/679) and that the Processor is the “Processor” (as defined in the European Union Regulation 2016/679) of the Information for the purposes of applicable Privacy Laws, and (e) that Processor will comply with any applicable Privacy Laws. Customer (i) shall be responsible for Processor’s compliance with the Processor Agreement and (ii) shall indemnify and keep indemnified D&B against any claims that arise by virtue of the Processor's breach of or failure to comply with the terms of the Processor Agreement. Such Processors may not use Information for the purpose of making credit, marketing, or supply decisions on Customer’s behalf. If Customer requests and D&B approves the use of a Processor at a location outside the Netherlands, then D&B and Customer shall discuss the additional fees payable under the applicable Order.
5.4 Audit
On not more than one (1) occasion in any twelve (12) month period, or such further occasions as may be required by applicable laws, and on reasonable notice and during normal business hours, Customer will permit (and where applicable will procure that its Processor will permit) D&B to inspect the locations at, or computer systems on which, Information and Programs are used, stored or transmitted. D&B will limit any inspection to the extent reasonably necessary to confirm compliance with the terms of this MA, relevant Orders, and applicable laws. If required by Customer D&B will enter into a confidentiality agreement (in a form reasonably acceptable to D&B) in respect of any information that its representative may incidentally acquire while carrying out an inspection.
5.5 Trademarks
Each Party undertakes to obtain prior and express authorization from the other Party prior to (i) use of a trademark or any other intellectual property or registered element of the other Party or its affiliates, (ii) issuing a press release relating to the MA and/or Order or (iii) quoting the name and the brand of the other Party within a marketing operation.
5.6 Third Party Intellectual Property Rights
D&B warrants to Customer that (i) it has the right to grant the licence set out herein and (ii) to D&B’s knowledge, the Information, and Programs, when used in accordance with this MA, do not violate any existing third party Intellectual Property Rights in the Territory, as of the Effective Date and for the duration of the applicable Order. The foregoing warranty does not apply to the extent Customer is not using the most up-to-date Programs version, or modifies the Information or Programs in any way, or combines the Information or Programs with material not supplied by D&B.

6. Payment

6.1
Unless stipulated otherwise in an applicable Order, Customer will pay all fees due to D&B (together with any applicable VAT) for each Order within thirty (30) days of the applicable invoice date.

6.2
Contractual interest of 1,5% per month may be applied, without the need for a reminder, to any outstanding and undisputed fees due from Customer to D&B until paid, unless the statutory interest rate is higher, in which case the statutory interest rate is applicable.

6.3
Without prejudice to any other rights or remedies of D&B under this MA, an applicable Order or at law, if any fees remain unpaid D&B may suspend the provision of the Services without prejudice to D&B’s rights of termination hereunder.

6.4
Prices and product descriptions for specific Information, Services or Programs shall be as set out in the relevant Order, or, if not set out in the Order, then the applicable pricing shall be the one in force at the time of the Order date.

6.5
If Customer exceeds the permitted usage in an Order, Customer will be invoiced for such excess usage at the rate set out in the relevant Order, or, if not set out in the Order, then the applicable pricing shall be the one in force at the time of the Order date.

6.6
If an applicable Order continues beyond the initial period, the prices of the Services will be subject to annual revision, on the date of renewal of the Order by applying the Dutch Consumer Price Index All Households (Consumentenprijsindex alle huishoudens) 2015=100 in accordance with the price indexation number of the previous calendar year.

6.7
Subject to compliance with the notification procedure described herein, D&B may, at any time during the term of the Order, modify the rates applicable to the Services. Any modification of the rates applicable to annual licences will be applicable from the date of renewal of the licence. D&B will inform Customer of the terms and conditions of this modification prior to its implementation. Customer may refuse this modification by the termination of the applicable Order(s) by giving notice to D&B within thirty (30) days of the above mentioned information. In the absence of the termination of the Order(s), Customer is deemed to have accepted the tariff modification.

6.8
Any dispute relating to invoicing shall be addressed to D&B no later than two (2) months from the applicable invoice date.

7. Obsolescence

7.1
D&B may make Updates or Upgrades to the Services with reasonable prior notice, provided that (i) there is no charge to Customer unless mutually agreed, (ii) the updated or upgraded Services serve the same use case with similar product capabilities and functionality, (iii) D&B provides reasonable technical support and training, (iv) the conditions applicable to any new feature will be communicated to Customer.

7.2
Solely for APIs, D&B maintains access to the prior version of the API for a reasonable period of time, after which the API will no longer be maintained. If the Update or Upgrade is subject to additional charges, Customer may terminate the concerned API within thirty (30) days from the date of written notice by D&B of the change.

7.3
D&B may sunset a Service with twelve (12) months advance notice. This notice may be reduced to a shorter period (i) as mutually agreed or (ii) if Service’s sunset is necessary to address material and imminent risks relating to regulatory or compliance requirements, in which case contracted fees after discontinuation may be reduced as mutually agreed by Parties.

8. Liability

8.1
Though D&B uses extensive procedures to keep its database current and to promote data accuracy Customer acknowledges that due to its nature and sources the Information may contain a degree of error. Customer is responsible for determining whether Information supplied by D&B is sufficient for Customer’s use and Customer shall use its own skill and judgement when relying upon the Information. Customer assumes full responsibility for the use of the Services provided by D&B.

8.2
Other than as explicitly stated in this MA or an applicable Order, (i) all Information, Services, or Programs are provided on an “as is”, “as available” basis, without any warranty or representation regarding the availability of a service, service levels or performance (ii) D&B disclaims all warranties, express or implied, including any warranties of accuracy, completeness, currentness, quality or fitness for a particular purpose, (iii) D&B does not warrant that the services will be uninterrupted or error-free.

8.3
The aggregate liability for either Party with respect to a particular Order will not exceed the sums payable by Customer to D&B in respect of one (1) contractual year in such Order.

8.4
Unless specifically provided to the contrary in this clause 8, neither Party shall have any liability to the other Party for any damages other than direct damages.

8.5
The liability limits set out in this clause 8 shall not apply to (i) death or personal injury of each Party’s employees, agents or subcontractors; (ii) wilful misconduct or gross negligence of a Party and; (ii) for claims arising out of infringements of intellectual property rights.

9. Confidential information

9.1
Each Party undertakes to: (i) treat all Confidential Information disclosed by the other Party in the same way that it treats its own confidential information; (ii) to use it for the sole purpose of fulfilling its contractual obligations and/or for internal analysis purposes. D&B may share Confidential Information with its employees and third-party service providers with a need to know in order to fulfil its obligation pursuant to an applicable Order and in furtherance of the provision of Services, provided that such employees and service providers are subject to confidentiality obligations substantially as restrictive as those set forth herein.

9.2
Confidential Information shall not include information that: (i) is or becomes part of the public domain without breach of this MA and/or an applicable Order, (ii) information which was lawfully in the possession of a Party before being disclosed to it by the other Party, (iii) information that was disclosed by a third party with the right to disclose such information without restriction or (iv) is independently developed by D&B without the use of or reference to the Confidential Information.

9.3
Customer shall not disclose the negotiated pricing or terms of this MA, or any Order, to any third party (save where it is required to do so by a governmental body in which case it shall take all reasonable steps to minimize such disclosure and to obtain written confidentiality undertakings in its favour with respect to such disclosure).

10. Personal data

10.1
Each Party undertakes to comply with Privacy Laws relating to the processing of Personal Data applicable under an applicable Order. The terms and conditions for the processing of Personal Data by D&B are specified in the Appendix "Processing and Protection of Personal Data ".

10.2
Each Party undertakes to proceed all the necessary declarations and administrative procedures provided by the Privacy Laws with the competent authorities and, more generally, to assume all the responsibilities and obligations arising from the applicable legislation, in particular in the event of the transfer of Personal Data.

10.3
Each Party warrants to respect Privacy Laws in its relations with third parties (including data processors, partners, etc.) concerning the processing of Personal Data.

10.4
Each Party shall take the appropriate precautions, in regard to the nature of the Personal Data and the risks presented by the processing, to preserve the security of the Personal Data and, in particular, to prevent them from being distorted, damaged, or accessed by unauthorised third parties.

10.5
The Parties agree to transmit without delay to the other Party: (i) any request relating to the right of access, rectification, or opposition to Personal Data processed under an applicable Order; and (ii) any request made by an administrative or judicial authority relating to Personal Data processed under an applicable Order or to the conditions of their processing that the other Party should address.

11. Subcontracting

D&B is authorized to use sub-contractors and service providers in the provision of all or part of the Services and undertakes to provide a list of these at Customer’s request. D&B remains, however, the sole debtor of its obligations under an applicable Order.

12. Termination

12.1
This MA will continue in full force and effect unless and until terminated in accordance with this paragraph 12. Orders will continue in full force and effect for the licence period specified in the applicable Order unless and until terminated in accordance with the terms of that Order or this paragraph 12 (as applicable).

12.2
In the event of a breach by one of the Parties of its contractual obligations, and failure to remedy such breach within thirty (30) days following a formal notice sent by registered letter with acknowledgement of receipt, the other Party may terminate the MA and/or any applicable Order by sending a registered letter with acknowledgement of receipt.

12.3
In the event of a breach of the provisions regarding Intellectual Property Rights and Licence to use the Service, Confidential Information and/or Personal Data by Customer, D&B may immediately suspend the Services and/or the access and use by Customer of any Information or Programs without prior notice. D&B will inform Customer of such suspension without delay. If the breach is remedied (to D&B’s reasonable satisfaction) within seven (7) days of D&B giving such notice to Customer, D&B shall promptly reinstate the Services and permit Customer to resume accessing and using the Services, or if such breach is not remedied or capable of remedy, D&B may terminate the MA and/or any applicable Order upon giving Customer no less than seven (7) days written notice.

12.4
Either Party may terminate this MA and any applicable Orders immediately by notice in writing if the other Party suffers an Insolvency Event.

12.5
Termination of this MA will result in the immediate cancellation of all Orders. Either Party may terminate this MA by written notice at such time as there are no active Orders by giving no less than thirty (30) days written notice to the other Party.

12.6
Upon expiry or termination of this MA or a relevant Order (or upon receipt of Programs or Information that is intended to supersede previously obtained Programs or Information), unless D&B and Customer agree otherwise in writing, Customer will promptly (and no later than seven (7) days after the termination of this MA or a relevant Order) delete or destroy all originals and copies of the Information and/or Programs, as applicable, and upon request, provide certification. Notwithstanding the aforesaid, Customer may retain a single copy of the Information (but not the Programs) for regulatory compliance and archive purposes, provided always that such retained copy may not be used for any commercial purpose.

12.7
If, without D&B's written permission or as otherwise permitted hereunder, Customer continues after expiry or termination of an Order or this MA to access or use Services, Information and/or Programs, in addition to any other remedies available to D&B, Customer will be liable to pay D&B for the Services, Information and/or Programs Customer has continued to access and/or use at the amounts provided for in a specific Order for such Services at the date of termination or, in case the prices are not set out in the Order, at the premium “pay-as-you-go” rate applicable on the date of expiry of the Order and on such terms as to payment as D&B shall specify.

12.8
Except where exclusively caused by a breach of D&B, the termination of an applicable Order does not entail any obligation to refund the sums paid by the Customer.

12.9
The exercise by D&B of any rights of suspension or termination under this paragraph shall be without prejudice to any other rights or remedies which D&B has under this MA, an applicable Order, or at law.

12.10
Any provisions set forth in this MA which by their nature are intended to survive termination of this MA will be deemed to survive termination of this MA.

13. Miscellaneous

13.1 Entire agreement. This MA, all Orders and, if applicable, any data transfer or processing agreements between D&B and Customer, any attached addendums, appendices, and schedules, and any applicable online service terms in effect from time to time, constitute the entire agreement between D&B and Customer regarding the Information, Services, and Programs. All prior agreements both oral and written between the Parties on the matters contained in this MA are cancelled, replaced, and superseded by this MA. Any Order in effect at the Effective Date shall from the Effective Date be subject to the terms of this MA. In no event shall any Customer terms or conditions (including those in or attached to a Customer’s purchase order) apply to any Order or vary this MA. The headings in this MA are for ease of reference and shall not affect its interpretation.

13.2 Precedence. In the event of a conflict between the terms of this MA and any Order, the terms of the Order shall prevail in relation to that conflict.

13.3 Severability. If any provision of this MA or an Order shall be found by any court or administrative body of competent jurisdiction to be invalid or unenforceable the invalidity or unenforceability of such provision shall not affect the other provisions of this MA or an Order, which will otherwise remain in full force and effect. The Parties hereby agree to attempt to substitute for any invalid or unenforceable provision a valid or enforceable provision that achieves to greatest extent possible the same economic, legal, and commercial objectives.

13.4 Waiver/Amendment. The failure to exercise a right provided by this MA, an Order, or at law shall not constitute a waiver of that right. If a Party waives a breach of any provision of this MA or an Order this shall not operate as a waiver of any subsequent breach. Any amendment, addendum, or waiver relating to this MA or any Order must be in writing and signed by both Parties.

13.5 Assignment. Neither Party may assign any of its rights and/or obligations under this MA without the prior written consent of the other Party, save that D&B may assign the MA (i) to any other D&B group company which controls, is controlled by or is under common control with D&B or (ii) as part of a restructuring or consolidation or the sale of substantially all of D&B's assets, to the beneficiary of such operation. Any assignment in breach of this paragraph is void.

13.6 Force Majeure. Neither Party shall be liable for any delay in performing, or failure to perform, any of its obligations under this MA or any Order if such delay or failure result from events, circumstances, or causes beyond its reasonable control, and in such circumstances either Party shall be entitled to a reasonable extension of the time for performing such obligations, provided that, if the period of delay or non-performance continues for thirty (30) consecutive days, either Party may cancel the affected Order by giving no less than fourteen (14) days written notice to the other Party, sent by registered letter with acknowledgment of receipt.

13.7 Notices. Any notice to be served on a Party shall be in writing and may only be served by sending it by registered letter with acknowledgment of receipt. Email may be used for routine communication and where otherwise expressly permitted in this MA or an Order. For the avoidance of doubt, email notices shall not amount to notice in writing or a written instrument for the purposes of termination for breach, waiver, and assignment paragraphs.

13.8 Insurance. D&B has subscribed to necessary insurance policies for the exercise of its activity in a notoriously solvent company and accepts, at Customer’s request, to provide the aforementioned with a certificate thereof.

13.9 Third party rights. A person who is not a party to this MA has no right under the MA or at law to rely upon or enforce any term of this MA.

13.10 Choice of law and jurisdiction. This MA and each Order (and any contractual and non-contractual obligations relating to or arising out of them) shall be governed by and construed in accordance with the laws of the Netherlands. Any dispute relating to this MA and/or any applicable Order, and in particular to the interpretation, performance, or validity of any Order or any of its stipulations, shall be subject to an attempt at amicable resolution by the Parties within ten (10) business days from receipt by one of the Parties of the notification of the dispute by registered letter with acknowledgement of receipt sent by the other Party. In the absence of agreement between the Parties within thirty (30) days from said meeting, the dispute shall be brought before the courts of Rotterdam.

APPENDIX 1 – PROCESSING AND PROTECTION OF PERSONAL DATA

D&B is committed to ensuring that its activities comply with its obligations regarding the protection of Personal Data and to implement all necessary means to this end, according to European Union Regulation 2016/679, relating to Personal Data and its guiding principles (hereinafter the “Applicable Legislation”). This commitment is reflected in the implementation of technical and human resources, as well as appropriate organizational measures.
To this end, this appendix aims to describe the measures set in place to ensure the protection of Personal Data within the meaning of the Applicable Legislation that is processed within the framework of the agreement signed between the Parties (hereinafter the "Order") and for the provision of the services described in said Order (hereinafter the "Services"), and more specifically :

  • the processing of the Customer’s Personal Data within the framework of the execution and management of the Order;
  • the processing of Personal Data in the databases of D&B (Dutch database) and its partner DUN & BRADSTREET (international databases);
  • the processing of Personal Data communicated by the Customer for the performance of Services for which D&B acts as a subcontractor.
1. Processing of personal data for the execution and the management of the order
1.1 - D&B processes the following Customer’s Personal Data as a controller:
  • Personal Data relating to the signatory of the Order;
  • Personal Data of the contact person of the Order;
  • Personal Data of the Users of the Services.
1.2 - This Personal Data is processed by D&B for the purpose of performing the Order, including the setting of Users’ account necessary for the provision of certain Services. The information requested is mandatory; the lack of communication of such information may affect the performance of the Order and the provision of the Services provided for in the Order.
1.3 - When Personal Data has been collected by the Customer directly from the data subject, the Customer warrants and represents that:
  • the data subjects have been duly informed of the collection and processing of their Personal Data in accordance with the Applicable Legislation; where applicable, this information shall be supplemented with regard to the specific use of Personal Data that may be made, and
  • the consent of data subjects is obtained (where such consent is required).
1.4 - Depending on the purposes of the processing the grounds of such processing of Personal Data may vary. In that sense, data processing is generally necessary for : (i) the execution of an agreement or precontractual measures (for example for the management, processing, and monitoring of the Services provided for in the Order); (ii) the pursuit of D&B’s legitimate interests in the management and monitoring of its relationships, in particular commercial, with its customers, and in the organisation of its communication operations in general; and (iii) the compliance with legal and regulatory obligations imposed on D&B.
1.5 - The Personal Data thus collected will be kept for the duration of the Order and any renewals thereof, and for a maximum period of 10 (ten) years from the end of this Agreement, which is necessary to achieve the aforementioned purposes.
1.6 The Personal Data mentioned herein is intended for, depending on the Services concerned:
  • D&B;
  • or its partner DUN & BRADSTREET and the subsidiaries, affiliated entities and members of DUN & BRADSTREET’s Worldwide Network (hereinafter the “WWN”),
  • and possibly for their providers and/or contractual or commercial partners exclusively for the achievement of the aforementioned purposes.
Some of the collected Personal Data may be communicated to third parties outside of the European Union, exclusively for the purposes mentioned above. These third parties may be entities of the group to which D&B belongs, and have signed standard contractual clauses with D&B in order to regulate the transmission of information within the group, as well as to their providers and/or partners.
1.7 - In accordance with the Applicable Legislation, the data subjects concerned by the processing of Personal Data within the scope of this clause shall have (i) the right to query, access, correction, deletion and/or portability of their Personal Data, as well as the right to obtain the limitation of their processing and the right to object (to the processing of Personal Data, as well as to prospection, including commercial prospection), (ii) the right to set guidelines regarding the fate of Personal Data and the way data subjects wish these rights to be exercised after their death. These rights can be exercised by simple written request sent by post to the following address: Dun & Bradstreet BV, Montevideo Offices, Otto Reuchlinweg 1032, 3072 MD, Rotterdam, the Netherlands or by email at the following address: dpo@altares.com. For any further information relating to the protection of Personal Data, the Data Protection Officer appointed by D&B can be contacted at the following address: dpo@altares.com. The data subject may in any event file a complaint with the Dutch Data Protection Authority, in charge of the protection of Personal Data, if it is considered that Personal Data is not processed in accordance with the Applicable Legislation.
2. Processing of personal data in databases
2.1 Description and purpose
2.1.1 Processing of Dutch data by D&B as data controller
2.1.1.1 - D&B, as data controller, processes data on Dutch companies and their managers – sometimes including Personal Data – in order to offer business solutions that address “Risk Management”, “Sales & Marketing”, “Compliance” and “Data Management” issues, which contribute to the security of transactions by enabling companies to manage their financial risks, to develop a better knowledge of their customers, partners and suppliers, including for marketing purposes, and to comply with the various regulatory requirements applicable to their business, such as protection against fraud, corruption and money laundering.
2.1.1.2 In this context, Personal Data that may be processed is data of any kind relating to:
  • professional activity of the data subjects, including data relating to their identification (e.g. names, first names, date of birth) and their contact details (e.g. email, phone number),
  • professionallifeofthedatasubjects(e.g.capitallinkage,registrationnumber, DUNS® Number, company name,
  • registered office address),
  • economic and financial information (e.g. balance sheets, collective proceedings, legal announcements),
  • and more generally all Personal Data necessary for the aforementioned purposes
2.1.1.3 - The categories of data subjects are the following:
  • natural persons whose information is necessary to study Dutch companies, and in particular, statutory leaders or operational directors,
  • natural persons such as craft traders, traders, craftsmen, liberal professions, farmers and other individual entrepreneurs.
2.1.1.4 - The nature of the operations carried out on personal data is: collection, qualification, enhancement and analysis.

2.1.1.5 - Personal Data that may be processed may come (i) mainly from public sources, since the D&B Dutch database is based in particular on the Dutch registry of the Chamber of Commerce (Kamer van Koophandel), but also (ii) from private sources and (iii) from D&B’s Customers.

2.1.1.6 - The grounds for such processing of Personal Data may vary. In this respect, in general, data processing is necessary to (i) pursue D&B’s legitimate interests in offering products and services to help its Customers manage their financial risks and the relationship with their own customers; and (ii) pursue the legitimate interests of D&B’s Customers to use products and services that enable them to better manage their financial and commercial relationships, and (iii) to meet some of their regulatory obligations.
2.1.1.7 - The Personal Data thus collected will be kept for a period that varies according to their nature and the purpose for which it has been collected, in accordance with the legal retention periods.
2.1.2 The processing of international data by Dun & Bradstreet as data controller
2.1.2.1 - DUN & BRADSTREET, as data controller, processes data on companies and their managers all over the world – sometimes including Personal Data – in order to offer products and services helping its customers to make important business decisions.
2.1.2.2 - Personal Data that may be processed is data of any kind regarding the professional activity of data subjects, including data relating to:
  • their identification (e.g. names, first names, date of birth) and their contact details (e.g. email, phone number, fax number);
  • their professional life (e.g. capital links, registration number, DUNS® Number, company name, registered office address, professional contact details, function, domain name, professional associations);
  • economic and financial information (e.g. effective owner, balance sheets, collective proceedings, legal notices, payment histories, debts, assets), criminal convictions, offences and security measures (newspaper and press articles on criminal convictions);
  • and more generally all personal data necessary for the aforementioned purposes.
2.1.2.3 The categories of data subjects are the following: natural persons whose information is necessary to study companies all over the world, and in particular, individual companies, company managers, shareholders, administrators, professional contacts.
2.1.2.4 The nature of the operations carried out on Personal Data is: collection, qualification, enhancement and analysis.
2.1.2.5 - Personal Data that may be processed comes from DUN & BRADSTREET’s subsidiaries and affiliated entities, as well as members of DUN & BRADSTREET’s WWN. As such, they may come from (i) public sources (and in particular law enforcement agencies or public records) but also (ii) private sources.
2.1.2.6 - The grounds for such processing of personal data may vary. In this respect, in general, the processing of data is necessary to pursue DUN & BRADSTREET’s legitimate interests in offering commercial products and services to help its customers manage their financial risks and the relationship with their own customers. The Personal Data thus collected will be kept for a period that varies according to their nature and the purpose for which it has been collected, in accordance with the legal retention periods.
2.1.2.7 - The collected Personal Data is processed by DUN & BRADSTREET to create scores and ratings, as well as customized profiles for their customers. DUN & BRADSTREET does not make any decision regarding the entities present in its database, does not keep blacklists and does not make recommendations whether to enter into business with any entity to their customers.
2.2 The recipients of personal data
Personal Data is intended for D&B, its partner DUN & BRADSTREET and subsidiaries, affiliated entities and members of DUN & BRADSTREET’s WWN, their clients and possibly their providers and/or contractual or commercial partners exclusively for the achievement of the aforementioned purposes. Some of the Personal Data collected may be communicated in particular to third parties located outside of the European Union, exclusively for the purposes mentioned above. These third parties may be entities of the group to which D&B belongs and have signed standard contractual clauses with D&B in order to regulate the transmission of information within the group, as well as their providers and/or partners.
2.3 The rights of data subjects

2.3.1
In accordance with the Applicable Legislation, the data subjects have (i) the right to query, access, correction, deletion and portability of their Personal Data, as well as the right to obtain the limitation of their processing and the right to object (to the processing of their data, as well as to prospection, including commercial prospection), (ii) the right to set guidelines regarding the fate of Personal Data and the way data subjects wish these rights to be exercised after their death.

2.3.2
These rights can be exercised by simple written request accompanied by a copy of both sides of a signed identity document sent by post to the following address: Dun & Bradstreet BV, Montevideo Offices, Otto Reuchlinweg 1032, 3072 MD, Rotterdam, the Netherlands or by email at the following address: dpo@altares.com.

For any further information relating to the protection of personal data, the Data Protection Officer appointed by ALTARES - D&B can be contacted at the following address : dpo@altares.com.

2.3.3
Data subjects may in any event file a complaint with the Dutch Data Protection Authority, in charge of the protection of Personal Data, if it is considered that Personal Data is not processed in accordance with the Applicable Legislation.

D&B and DUN & BRADSTREET, as data controllers of their Dutch and international database, are committed, respectively, to comply with the provisions of European Union law and applicable regulations relating to the processing of Personal Data.

3. Processing of personal data communicated by the client for the provision of services by D&B as data processor
3.1 D&B's commitments
3.1.1 Presentation of the processing of Personal Data

3.1.1.1 - D&B may be given access to certain Personal Data as a processor, for the provision of certain Services. D&B may thus be required to process such Personal Data on behalf of the Customer, who is then acting as data controller, for the sole purpose of providing Services and for the duration of the Order.

3.1.1.2 - Personal Data that may be processed is data of any kind regarding the professional activity of data subjects, including data relating to:
  • their identification (e.g. names, first names, date of birth) and their contact details (e.g. email, phone number);
  • their professional life (e.g. capital links), economic and financial information (e.g. balance sheets, collective proceedings, legal announcements);
  • and more generally all Personal Data necessary for the execution of the Order.
3.1.1.3 - The categories of data subjects are: the clients, providers, partners and/ or prospects of the Customer, including natural persons whose information is necessary to provide the benefits and Services, and in particular, statutory leaders or operational managers.
3.1.1.4 - The nature of the operations carried out on Personal Data consists of qualification and enhancement.
3.1.2 Security and confidentiality
3.1.2.1 - D&B ensures to implement all relevant measures to preserve the security, and in particular the confidentiality, of any Personal Data to which it may have access or which may be communicated to them for the performance of the Order. Moreover, D&B undertakes to take all appropriate technical and organizational measures, considering the stage of knowledge, the costs of implementation and the nature, scope, context and purpose of the processing of Personal Data, which would be necessary for D&B and its employees to comply with these obligations of security, integrity and confidentiality.
3.1.2.2 In this context, D&B undertakes in particular:
  • Not to process, or consult Personal Data for other purposes than the performance of its obligations for the provision of the Services on behalf of the Customer under the Order;
  • To process or consult such Personal Data only according tot he Customer’s documented instructions (the Parties acknowledge that D&B acting within the framework of the execution of the Order falls in the notion of documented instruction), including regarding the transfers of Personal Data to a third country or to an international organization, unless it is required to do so under the European Union law or a Member State legislation, to which D&B is subject. In that case, D&B shall inform the Customer of this obligation before processing Personal Data, unless the applicable legislation prohibits such information for important reasons of public interest;
  • To take all necessary precautions to preserve the security of Personal Data to ensure that it is not deformed, damaged, that unauthorized third parties have access to it, and to prevent any access that is not previously authorized by the Customer;
  • To take all measures to (i) ensure the constant confidentiality, integrity, availability and resilience of the processing systems and services used, (ii) restore the availability of and access to Personal Data within an appropriate period in the event of a physical or technical incident, and (iii) regularly test, analyse and evaluate the effectiveness of these measures;
  • To ensure that the persons authorised to process such Personal Data are subject to an appropriate contractual or legal obligation of confidentiality;
  • and, at the end of the Order, according to the Customer’s instructions, to return the Personal Data processed on behalf of the Customer and to destroy any manual or computerized files storing said data, including any copies thereof, unless European Union law and/or Dutch legislation requires D&B to retain such Personal Data.
3.1.2.3 - The means implemented by D&B to ensure security and confidentiality of Personal Data shall be in accordance with the state of the art in this field. D&B undertakes to maintain these means throughout the execution of the Order and, otherwise, to inform immediately the Customer about it. In any case, D&B undertakes, in the event of a change of means aiming to ensure the security and confidentiality of such Personal Data, to replace them with means of equivalent or superior performance.
3.1.3 Sub-processing
3.1.3.1 - Customer acknowledges that D&B is entitled to use other processors (hereinafter referred as to “sub-processors”) to carry out specific processing activities. Sub-processors will be identified in the Orders.
3.1.3.2 - D&B shall inform the Customer, via the email communicated by the Customer in the Order, of any intended change regarding the addition or replacement of sub-processors. The Customer will then have forty-eight (48) hours from the date of receipt of this information to present his objections. This sub-contracting can only be carried out if the Customer did not object within the agreed period.
3.1.3.3 - D&B further undertakes that sub-processors will comply with the obligations of the Order as well as the Applicable Legislation. D&B undertakes to conclude for this purpose a written agreement with each sub-processor, it being specified that in case of non-compliance by a sub-processor with its obligations regarding the protection of personal data, D&B shall remain fully liable to the Customer.
3.1.4 Cooperation
3.1.4.1 - D&B as data processor also undertakes to assist the Customer, to the extent of its obligations under the Order and, where applicable, under operational and financial conditions to be agreed between the parties.

3.1.4.2 - To this end, D&B shall assist the Customer in the compliance with its own obligations regarding the security and confidentiality of Personal Data.

3.1.4.3 - D&B shall assist the Customer to carry out a Data Protection Impact Assessment (DPAI) on the protection of Personal Data if it is required by the nature of the processing, and where applicable, in any prior consultation of the control authority that may be necessary.
3.1.4.4 - D&B shall assist the Customer for the management of requests for the exercise of the rights granted to data subjects under the Applicable Legislation (right of access, rectification, deletion and portability of Personal Data, right to object and right to limit processing, right not to be the subject of an automated individual decision, including profiling) and the answers to be provided. The management of such requests is not D&B’s prerogative. Therefore, D&B shall not answer itself to this kind of requests. Nevertheless, it shall inform the Customer, via the email communicated by the Customer in the Order, of any request received in this regard. Upon Customer’s written request, D&B shall also communicate to Customer any information in its possession requested by Customer, which may be necessary for the processing of data subject requests and the preparation of appropriate responses for the exercise of their rights.
3.1.4.5 D&B shall assist the Customer to comply with the obligation of notification to the control and information authority of the data subject in case of a breach of personal data, i.e. any breach of security that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorized access to Personal Data being processed. These obligations are not D&B’s responsibility. Therefore, D&B will not itself notify the control authority nor inform data subjects. However, it shall inform the Customer, via the email communicated by the Customer in the Order, as soon as possible after it becomes aware of any breach of Personal Data. Upon Customer’s written request, D&B will also communicate to Customer any information in its possession requested by the Customer and which would be necessary for the Customer to proceed with the aforementioned notification and information.

3.1.4.6 - D&B further undertakes to inform the Customer if, in its opinion, an instruction constitutes a violation of the Applicable Legislation or other provisions of Member States’ legislation relating to the protection of Personal Data to which D&B would be subject.
3.1.5 Verifications
3.1.5.1 - The Customer has the right to carry out any verification that it deems useful to ascertain whether D&B complies with its obligations regarding the protection of Personal Data, in particular by means of audits (or inspections). These verifications may be carried out by the Customer itself or by a third party it has selected, commissioned and mandated for this purpose, not being a competitor of D&B. In this context, D&B will provide the Customer or said third party the necessary information to enable these verifications to be carried out and to provide proof of compliance with the aforementioned obligations and undertakes to contribute to the said verifications by collaborating with the Customer.
3.1.5.2 - The number of audits that may be carried out during a contractual year is limited to one (1) audit, unless D&B seriously fails to meet its obligations, in which case the Customer may request an additional audit or an inspection.
3.1.5.3 - In view of these verification operations, the Customer will notify D&B by registered letter with acknowledgment of receipt at least thirty (30) days before the scheduled date of the audit or inspection and will include a detailed plan of its request in this notification.
3.1.5.4 - The audits shall be carried out at the Customer’s expense, including D&B’s internal costs, in particular the working days of its staff, it being specified that the price of one (1) working day will be charged € 850.00 excluding taxes.
3.1.5.5 - The duration of the verification operations will not exceed three (3) working days.
3.1.5.6 - Verification operations must take place during the normal business hours of D&B’s offices and will be conducted in a manner that does not interfere with the provision of the Services nor any other activity carried out by D&B for the benefit of its other Customers, who will always remain a priority over the performance of verification operations; D&B may at any time interrupt these verification operations if the provision of the Services or any other activity carried out by D&B for the benefit of its other customers requires that the resources and / or means used by the audits be mobilized for other purposes.
3.1.5.7 - It is expressly agreed that the following will not be subject to verification: any financial data or Personal Data that does not concern the Customer, any information whose disclosure could affect the security of D&B’s systems and / or data (e.g. risk for the confidentiality of information) or other D&B’s Customers, or the source code of the computer programs used in the provision of the Services.
3.1.5.8 - Any person in charge of verification may be admitted to a building of D&B or one of its processors only after declaration by the Customer of its identity; the Customer must ensure the probity of the persons mandated to carry out the verification operations, whether they are employed by the Customer or an external audit firm, and the Customer guarantees D&B that these persons respect absolute confidentiality of the information that may come to their attention in the context of these verification operations.
3.1.5.9 - The person in charge of the verification operations may not copy any document, file, data or information, in whole or in part, nor take photographs, digitize, or capture sound, video or computer recordings; he/she cannot ask for all or part of these elements to be provided or sent to him/her; D&B can organize a review of sensitive documents in a secure room (black room).
3.1.6 Data Protection Officer

D&B has designated a Data Protection Officer who may be contacted at the following address: dpo@altares.com.

3.1.7 Register of processing activities

D&B declares to keep a written record of the processing activities carried out on behalf of the Customer, in accordance with the Applicable Legislation.

3.2 Customer commitments
3.2.1 - The Customer, as data controller, is responsible for the processing of Personal Data implemented or made in connection with the provision of the Services. It guarantees D&B that it complies with the provisions of the Applicable Legislation.
3.2.2 - The Customer has documented in the Orders its instructions relating to the performance of said Order, and in particular the processing of Personal Data to be implemented in this context on its behalf by D&B.
3.2.3 As data controller, the Customer undertakes to ensure:
  • the lawfulness, fairness and transparency of the collection and processing of Personal Data (including information of data subjects, or collection of their consents when required, in particular due to the purpose or methods of processing or due to the Personal Data collected and processed);
  • That such Personal Data is only processed for a specific, explicit and legitimate purpose, and is not processed for subsequent purposes incompatible with that initial purpose;
  • That Personal Data collected and processed in connection with the provision of the Services is adequate, relevant, not excessive and limited to what is necessary in view of the purposes pursued, and that the collection of such data is not unlawful, especially if the processing includes Personal Data relating to offences, criminal conviction or security measures. The Customer undertakes not to process Personal Data under specific protection, except if necessary for the purpose of the processing and after obtaining the consent of the data subject, Personal Data under specific protection such as religious, union related, philosophical or political opinions or activities, health data and associated, biometric data, genetic data or data relating to life or sexual orientation of data subjects.
  • The quality, topicality, updating and accuracy of such Personal Data;
  • That Personal Data is kept in a form which allows the identification of data subjects only for a period no longer than is necessary for the purposes of the processing. In this regard, it is also the Customer’s responsibility to determine and communicate to D&B the desired retention periods for the Personal Data for it to be implemented in the context of the provision of 4. the Services, subject to any contrary regulatory, legal or contractual provisions requiring D&B to keep Personal Data for a different retention period;
  • That authorization for Personal Data is strictly limited to Users with a need to know, on the basis of the rule of least privilege;
  • The respect for the rights of data subjects (right of access, interrogation, rectification, opposition, deletion, limitation, portability, etc.) and to respond in the manner and within the time limits set by the provisions applicable to the requests made to this effect by the data subjects.
3.2.4 - The Customer releases D&B of any claim from data subjects whose data is processed, for the sole purpose of providing the Services.
3.2.5 - The Customer, as data controller, undertakes to provide D&B with all information and elements necessary to comply with its own obligations regarding the protection of Personal Data.
4. Cross-borders data transfers
4.1 - The Personal Data covered by this appendix, including the Customer’s Personal Data as D&B’s Customer Personal Data within databases and Personal Data communicated by the Customer for the provision of Services by D&B as a subcontractor, may be transferred to entities located:
  • in a Member State of the European Union, thus ensuring an adequate level of protection;
  • in a country benefiting from an adequacy decision by the European Commission, thus ensuring an adequate level of protection;
  • in a third country with which D&B and DUN & BRADTREET have concluded a specific agreement on data protection and standard contractual clauses, thus ensuring appropriate guarantees for the data subject.
4.2 - A copy of the guarantees put in place and detailed above can be obtained from the DPO of D&B, at the following email address: dpo@altares.com.